Kyle Schomp, Mark Allman, Michael Rabinovich. DNS Resolvers Considered Harmful, ACM SIGCOMM Workshop on Hot Topics in Networks (HotNets), October 2014.
PDF | Kyle's Slides

Abstract:

The Domain Name System (DNS) is a critical component of the Internet infrastructure that has many security vulnerabilities. In particular, shared DNS resolvers are a notorious security weak spot in the system. We propose an unorthodox approach for tackling vulnerabilities in shared DNS resolvers: removing shared DNS resolvers entirely and leaving recursive resolution to the clients. We show that the two primary costs of this approach---loss of performance and an increase in system load---are modest and therefore conclude that this approach is beneficial for strengthening the DNS by reducing the attack surface.

BibTeX:

@inproceedings{SAR14,
    author    =        "Kyle Schomp and Mark Allman and Michael Rabinovich",
    title     =        "{DNS Resolvers Considered Harmful}",
    booktitle =        "ACM SIGCOMM HotNets",
    year      =        2014,
    month     =        oct,
}

Scribe notes from HotNets talk are here.

Devon Warshaw and Jake McKinnon reappraised our study as part of Stanford's CS 244 course. Their report is available here.